UbuntuUpdates.org

Package "php7.4"

Name: php7.4

Description:

server-side, HTML-embedded scripting language (metapackage)
Latest version: 7.4.3-4ubuntu2.28
Release: focal (20.04)
Level: updates
Repository: main
Homepage: http://www.php.net/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "php7.4"

All arch deb package
APT INSTALL

Other versions of "php7.4" in Focal

Repository Area Version
base universe 7.4.3-4ubuntu1
base main 7.4.3-4ubuntu1
security universe 7.4.3-4ubuntu2.28
security main 7.4.3-4ubuntu2.28
updates universe 7.4.3-4ubuntu2.28

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 7.4.3-4ubuntu2.20 2024-02-27 14:06:54 UTC

  php7.4 (7.4.3-4ubuntu2.20) focal-security; urgency=medium

  * SECURITY UPDATE: Disclosure sensitive information
    - debian/patches/CVE-2023-3823.patch: sanitieze libxml2 globals
      before parsing in ext/dom/document.c, ext/dom/documentfragment.c,
      xml_global_state_entity_loader_bypass.phpt, ext/libxml/php_libxml.h,
      ext/simplexml/simplexml.c, xml_global_state_entity_loader_bypass.phpt,
      ext/soap/php_xml.c, ext/xml/compat.c, ext/xmlreader/php_xmlreader.c,
      xml_global_state_entity_loader_bypass.phpt, ext/xsl/xsltprocessor.c,
      ext/zend_test/test.c.
    - CVE-2023-3823
  * SECURITY UPDATE: Stack buffer overflow
    - debian/patches/CVE-2023-3824.patch: fix buffer mismanagement in
      phar_dir_read(), and in files ext/phar/dirstream.c,
      ext/phar/tests/GHSA-jqcx-ccgx-xwhv.phpt.
    - CVE-2023-3824

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 21 Feb 2024 10:54:34 -0300
Source diff to previous version
CVE-2023-3823 In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configura
CVE-2023-3824 In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insuf

Version: 7.4.3-4ubuntu2.19 2023-07-03 17:07:06 UTC

  php7.4 (7.4.3-4ubuntu2.19) focal-security; urgency=medium

  * SECURITY UPDATE: Missing error check and insufficient random
    bytes
    - debian/patches/CVE-2023-3247-1.patch: fixes missing randomness
      check and insufficient random byes for SOAP HTTP digest
      in ext/soap/php_http.c.
    - debian/patches/CVE-2023-3247-2.patch: fix wrong backporting of previous
      soap patch.
    - CVE-2023-3247

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 27 Jun 2023 12:49:59 -0300
Source diff to previous version
CVE-2023-3247 GHSA-76gg-c692-v2mw: Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP

Version: 7.4.3-4ubuntu2.18 2023-02-28 17:06:57 UTC

  php7.4 (7.4.3-4ubuntu2.18) focal-security; urgency=medium

  * SECURITY UPDATE: password_verify() accepts invalid Blowfish hashes
    - debian/patches/CVE-2023-0567-1.patch: fix validation of malformed
      BCrypt hashes in ext/standard/crypt_blowfish.c,
      ext/standard/tests/crypt/bcrypt_salt_dollar.phpt.
    - debian/patches/CVE-2023-0567-2.patch: fix possible buffer overread in
      php_crypt() in ext/standard/crypt.c,
      ext/standard/tests/password/password_bcrypt_short.phpt.
    - CVE-2023-0567
  * SECURITY UPDATE: off-by-one in core path resolution function
    - debian/patches/CVE-2023-0568.patch: fix array overrun when appending
      slash to paths in ext/dom/document.c, ext/xmlreader/php_xmlreader.c,
      main/fopen_wrappers.c.
    - CVE-2023-0568
  * SECURITY UPDATE: DoS via excessive number of parts in HTTP form upload
    - debian/patches/CVE-2023-0662-1.patch: introduce
      max_multipart_body_parts INI in main/main.c, main/rfc1867.c.
    - debian/patches/CVE-2023-0662-2.patch: fix repeated warning for file
      uploads limit exceeding in main/rfc1867.c.
    - CVE-2023-0662

 -- Marc Deslauriers <email address hidden> Thu, 23 Feb 2023 07:43:23 -0500
Source diff to previous version
CVE-2023-0567 In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3 ...
CVE-2023-0568 In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolv
CVE-2023-0662 In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consump

Version: 7.4.3-4ubuntu2.17 2023-01-23 16:07:56 UTC

  php7.4 (7.4.3-4ubuntu2.17) focal-security; urgency=medium

  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-31631.patch: fix check
      unquotedlen size in ext/pdo_sqlite/sqlite_driver.c.
    - CVE-2022-31631

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 10 Jan 2023 12:37:44 -0300
Source diff to previous version

Version: 7.4.3-4ubuntu2.16 2023-01-16 19:07:24 UTC

  php7.4 (7.4.3-4ubuntu2.16) focal; urgency=medium

  [ Athos Ribeiro ]
  * d/rules: fix PHP_EXTRA_VERSION setting. (LP: #1989196)
  * Test PHP_EXTRA_VERSION setting with autopkgtest.

  [ Matthew Ruffell ]
  * No longer throw an error when serializing uninitialized typed
    properties with __sleep(), which makes serializing objects with
    __sleep() behave the same as serializing objects without
    __sleep(). (LP: #1999598)
    - d/p/lp-1999598-Fix-bug-79447.patch

 -- Athos Ribeiro <email address hidden> Thu, 15 Sep 2022 19:53:21 -0300
1989196 Fix PHP_EXTRA_VERSION setting
1999598 Don't throw an error when serializing uninitialized typed properties with __sleep()


About   -   Send Feedback to @ubuntu_updates